LuCI bug 2816 was simply a LuCI file transfer problem during file upload, nothing really difficult to spot/avoid. But you are right, that bug exists in specifically 18.06.4 and may affect sysupgrade. (For others: the bug does not exist in the earlier 18.06.(0-3) versions, and also not in 18.06.5/.6 where it was already fixed)
Three options of sysupgrading from 18.06.4 in growing difficulty:
Simply check the SHA256 at the LuCI confirmation screen that it matches the expected value (like always with every sysupgrade...)
Avoid LuCI in sysupgrade from 18.06.4. Transfer file manually to /tmp and use ssh console for sysupgrade
opkg upgrade liblucihttp and liblucihttp-lua so that you have the fixed version 2019-07-05 instead of the buggy 2019-06-05
And in general, the bug materializes rarely, as it requires that a combination of a binary combination 0D 0A (CR LF) happens just at the http file transfer MIME packet boundary. The probability of hitting it is maybe firmware size 7000000 * 1/65536 * number of http mime packets 7000 (?) = a few percents.
Most users will never hit that bug.